US-10769152

Automated log analysis

Published: September 8, 2020
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

There is disclosed in an example a computer-implemented method of providing automated log analysis, including: receiving a log stream comprising a plurality of transaction log entries, the log entries comprising a time stamp, a component identification (ID), and a name value pair identifying a transaction; creating an index comprising mapping a key ID to a name value pair of a log entry; and selecting from the index a key ID having a relatively large number of repetitions. There is also disclosed an apparatus and computer-readable medium for performing the method.

Patent Claims
20 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A computer-implemented method of providing automated log analysis, the method comprising the steps of: receiving a log stream with a plurality of transaction log entries; pre-processing, by parsing and structuring, the plurality of transaction log entries to a name-value format, each of the plurality of transaction log entries including a time stamp, a component identification, and a name-value pair identifying a transaction, the name-value pair including a name field paired with a value field; before creating an index, filtering the plurality of transaction log entries to eliminate any false positives; when the plurality of transaction log entries include the name-value format per the pre-processing: creating the index of the plurality of transaction log entries, with a key identification (ID) mapped to the component identification of each of the plurality of transaction log entries, selecting, from the index, the key ID based on a number of repetitions of the key ID; and based on the selection of the key ID, building without a priori knowledge, a transaction model; and when the plurality of transaction log entries do not include the name-value format per the pre-processing, diverting or rejecting the plurality of transaction log entries.

2. The method of claim 1, wherein the filtering is performed if a same field value reappears with a same {component, field} pair after a time threshold.

3. The method of claim 1, wherein the filtering is performed if a value appearing with a {component, field} pair is shared among multiple components within a time threshold.

4. The method of claim 1, wherein, the pre-processing includes eliminating a field unlikely to be a meaningful transaction identifier, and the format is a set of {field name: field value} pairs.

5. The method of claim 4, wherein the field unlikely to be the transaction identifier is selected from the group consisting of a uniform resource locator (URL), media access control (MAC) address, a floating point value, a common English word, and an integer value below a threshold.

6. The method of claim 5, wherein the threshold is contextual.

7. The method of claim 1, further comprising: defining, via the transaction model, transaction tracking rules configured to track the plurality of transaction log entries based on key ID.

8. A computing apparatus comprising: a log analysis engine comprising at least a processor and a memory, the log analysis engine configured to: receive a log stream with a plurality of transaction log entries; pre-process, by parsing and structuring, the plurality of transaction log entries to a name-value format, each of the plurality of transaction log entries including a time stamp, a component identification, and a name-value pair identifying a transaction, the name-value pair including a name field paired with a value field; before creation of an index, filter the plurality of transaction log entries to eliminate any false positives; when the plurality of transaction log entries include the name-value format per the pre-process: create the index of the plurality of transaction log entries, with a key identification (ID) mapped to the component identification of each of the plurality of transaction log entries, select, from the index, the key ID based on a number of repetitions; and based on the selection of the key ID, build without a priori knowledge, a transaction model; and when the plurality of transaction log entries do not include the name-value format per the pre-process, divert or reject the plurality of transaction log entries.

9. The apparatus of claim 8, wherein filtering of the plurality of transaction log entries is performed by the log analysis engine if a same field value reappears with a same {component, field} pair after a time threshold.

10. The apparatus of claim 8, wherein filtering of the plurality of transaction log entries is performed by the log analysis engine if a value appearing with a {component, field} pair is shared among multiple components within a time threshold.

11. The apparatus of claim 8, wherein, pre-processing of the plurality of transaction log entries includes eliminating a field unlikely to be a transaction identifier, and the format is a set of {field name: field value} pairs.

12. The apparatus of claim 11, wherein the field unlikely to be the transaction identifier is selected from the group consisting of a uniform resource locator (URL), media access control (MAC) address, a floating point value, a common English word, and an integer value below a threshold.

13. The apparatus of claim 12, wherein the threshold is contextual.

14. The apparatus of claim 8, wherein the log analysis engine is further configured to: define, via the transaction model, transaction tracking rules configured to track the plurality of transaction log entries based on key ID.

15. One or more tangible, non-transitory computer-readable mediums having stored thereon executable instructions for instructing a processor to provide a log analysis engine configured to: receive a log stream with a plurality of transaction log entries; pre-process, by parsing and structuring, the plurality of transaction log entries to a name-value format, each of the plurality of transaction log entries including a time stamp, a component identification, and a name-value pair identifying a transaction, the name-value pair including a name field paired with a value field; before creation of an index, filter the plurality of transaction log entries to eliminate any false positives; when the plurality of transaction log entries include the name-value format per the pre-process: create the index of the plurality of transaction log entries, with a key identification (ID) mapped to the component identification of each of the plurality of transaction log entries, select, from the index, the key ID based on a number of repetitions; and based on the selection of the key ID, build without a priori knowledge, a transaction model; and when the plurality of transaction log entries do not include the name-value format per the pre-process, divert or reject the plurality of transaction log entries.

16. The one or more tangible, non-transitory computer-readable mediums of claim 15, wherein filtering of the plurality of transaction log entries is performed by the log analysis engine if a same field value reappears with a same {component, field} pair after a time threshold.

17. The one or more tangible, non-transitory computer-readable mediums of claim 15, wherein filtering of the plurality of transaction log entries is performed by the log analysis engine if a value appearing with a {component, field} pair is shared among multiple components within a time threshold.

18. The one or more tangible, non-transitory computer-readable mediums of claim 15, wherein, pre-processing of the plurality of transaction log entries includes eliminating a field unlikely to be a transaction identifier, and the format is a set of {field name: field value} pairs.

19. The one or more tangible, non-transitory computer-readable mediums of claim 18, wherein the field unlikely to be the transaction identifier is selected from the group consisting of a uniform resource locator (URL), media access control (MAC) address, a floating point value, a common English word, and an integer value below a threshold.

20. The one or more tangible, non-transitory computer-readable mediums of claim 15, further comprising instructions for instructing a processor to: define, via the transaction model, transaction tracking rules configured to track the plurality of transaction log entries based on key ID.
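One reading of the method in claims 1, 2 and 5, written out as an added example (this is not code from the patent or from Patentable): parse entries into name-value pairs, drop fields unlikely to be transaction identifiers, divert entries that are not in name-value format, index the remaining values, and pick the field whose values repeat most. The line format, the word list, `int_floor`, `reuse_gap`, all function names, and the interpretation of the index as `(field, value) -> occurrences` are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict

COMMON_WORDS = {"ok", "error", "true", "false", "done"}  # assumed stand-in word list
UNLIKELY_RE = re.compile(  # URL, MAC address or floating point value
    r"^(?:[a-z][a-z0-9+.-]*://.*|(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}|-?\d+\.\d+)$", re.I)
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(.+)$")  # assumed: <epoch> <component> n=v ...
SAMPLE = [  # constructed log lines
    "1000 web req=a81f3c user=4411 url=https://shop.example/cart status=ok",
    "1005 db req=a81f3c rows=12 latency=0.31",
    "1010 web req=b7720e user=4411 url=https://shop.example/pay status=ok",
    "1013 db req=b7720e rows=3",
    "9000 web req=c91d55 user=4411 status=ok",
    "malformed line without pairs",
]

def unlikely_id(value, int_floor=1000):
    """Claim 5 exclusions: URL, MAC, float, common word, small integer."""
    small_int = value.isdigit() and int(value) < int_floor
    return bool(UNLIKELY_RE.match(value)) or value.lower() in COMMON_WORDS or small_int

def parse(line):
    """Return (ts, component, pairs), or None if the line is not name-value."""
    m = LINE_RE.match(line.strip())
    pairs = dict(p.split("=", 1) for p in m.group(3).split() if "=" in p) if m else {}
    return (int(m.group(1)), m.group(2), pairs) if pairs else None

def find_transaction_field(lines, reuse_gap=3600):
    index, rejected = defaultdict(list), []  # (field, value) -> [(ts, component)]
    for line in lines:
        rec = parse(line)
        if rec is None:
            rejected.append(line)  # diverted: not in name-value format
            continue
        ts, comp, pairs = rec
        for name, value in pairs.items():
            if not unlikely_id(value):
                index[(name, value)].append((ts, comp))
    score = defaultdict(int)
    for (name, _value), hits in index.items():
        seen = defaultdict(list)
        for ts, comp in hits:
            seen[comp].append(ts)
        # Claim 2 reading: the same {component, field} reuses the value after the
        # time threshold, so it is long-lived (a user id), not a transaction id.
        if any(max(t) - min(t) > reuse_gap for t in seen.values()):
            continue
        if len(hits) > 1:
            score[name] += len(hits)
    return (max(score, key=score.get) if score else None), dict(score), rejected
```

On the sample, `user=4411` repeats as often as any request id but is discarded because the `web` component reuses it well after the threshold, leaving `req` as the selected key.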

Patent Metadata

Filing Date

December 2, 2016

Publication Date

September 8, 2020
